From 238c967c8b8b8ef343b992ccc03bb062201d1bde Mon Sep 17 00:00:00 2001
From: Andreas Gruhler
Date: Tue, 26 Nov 2024 15:03:01 +0100
Subject: [PATCH] feat: add skip_verify
---
 kubernetes/README.md | 5 +++--
 kubernetes/vault_snapshot/vault_snapshot.py | 14 +++++++++++---
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/kubernetes/README.md b/kubernetes/README.md
index c971d77..721ce54 100644
--- a/kubernetes/README.md
+++ b/kubernetes/README.md
@@ -11,8 +11,9 @@ After the snapshot is created in a temporary directory, `s3cmd` is used to sync
 ## Configuration over environment variables
 * `VAULT_ADDR` - Vault address to access
-* `VAULT_TOKEN` - optional Vault token (if provided, overrules `VAULT_ROLE`)
-* `VAULT_ROLE` - Vault role to use to create the snapshot
+* `VAULT_TOKEN` - Vault token (if provided, overrules `VAULT_ROLE`)
+* `VAULT_SKIP_VERIFY` - optional, set to any value to skip TLS verification
+* `VAULT_ROLE` - Vault role to create the snapshot. Required when no `VAULT_TOKEN`.
 * `S3_BUCKET` - S3 bucket to point to
 * `S3_HOST` - S3 endpoint
 * `S3_EXPIRE_DAYS` - Delete files older than this threshold (expired)
diff --git a/kubernetes/vault_snapshot/vault_snapshot.py b/kubernetes/vault_snapshot/vault_snapshot.py
index 384cb15..47f5854 100755
--- a/kubernetes/vault_snapshot/vault_snapshot.py
+++ b/kubernetes/vault_snapshot/vault_snapshot.py
@@ -29,6 +29,13 @@ def __init__(self, **kwargs):
 else:
 raise NameError("VAULT_ADDR undefined")
+ if "vault_skip_verify" in kwargs:
+ self.verify = False
+ elif "VAULT_SKIP_VERIFY" in os.environ:
+ self.verify = False
+ else:
+ self.verify = True
+
 if "vault_token" in kwargs:
 self.vault_token = kwargs["vault_token"]
 elif "VAULT_TOKEN" in os.environ:
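Review bot: The new `VAULT_SKIP_VERIFY` branch turns off TLS certificate verification for the Vault client whenever the variable merely exists, so `VAULT_SKIP_VERIFY=false` or `=0` also disables it; the README wording "set to any value" documents that, but for a job that pulls Vault snapshots over the network it is an easy misconfiguration to leave verification off silently. Consider parsing the value as a boolean and warning when verification ends up disabled, e.g. `self.verify = "vault_skip_verify" not in kwargs and os.environ.get("VAULT_SKIP_VERIFY", "").lower() not in ("1", "true", "yes")` followed by `if not self.verify: self.logger.warning("TLS verification for %s is disabled", self.vault_addr)` — provided `self.logger` is already initialised at this point, which the hunk does not show. hvac's `verify` argument accepts a CA-bundle path as well as a boolean, so honouring a `VAULT_CACERT` path would let operators with a private CA keep verification on instead of dropping it entirely; the `hvac.Client(...)` call that consumes `self.verify` is in the next hunk. `__init__` starts and ends outside this hunk.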
@@ -91,7 +98,8 @@ def __init__(self, **kwargs):
 aws_secret_access_key=self.s3_secret_access_key)
 self.logger.info(f"Connecting to Vault API {self.vault_addr}")
- self.hvac_client = hvac.Client(url=self.vault_addr)
+ self.hvac_client = hvac.Client(url=self.vault_addr,
+ verify=self.verify)
 # try setting VAULT_TOKEN if exists
 if hasattr(self, "vault_token") and len(self.vault_token) > 0:
@@ -153,8 +161,8 @@ def snapshot(self):
 for o in objs:
 self.logger.info(f"LastModified: {o['LastModified']}")
 # expire keys when older than S3_EXPIRE_DAYS
- if self.s3_expire_days >= 0:
- if o["LastModified"] <= datetime.now(UTC) - timedelta(days=self.s3_expire_days):
+ if int(self.s3_expire_days) >= 0:
+ if o["LastModified"] <= datetime.now(UTC) - timedelta(days=int(self.s3_expire_days)):
 self.logger.info(f"Deleting expired snapshot {o['Key']}")
 s3.Object(self.s3_bucket, o["Key"]).delete()
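Review bot: `int(self.s3_expire_days)` is now evaluated inside the per-object loop of `snapshot`, so a non-numeric `S3_EXPIRE_DAYS` raises `ValueError` only when the bucket listing is processed — presumably after the snapshot has already been taken and uploaded — instead of failing fast at startup, and the conversion is repeated for every object. Convert once where the value is read in `__init__`, or at least once before the loop, and keep the loop on the converted value: `expire_days = int(self.s3_expire_days)` before `for o in objs:`, then `if expire_days >= 0:` and `if o["LastModified"] <= datetime.now(UTC) - timedelta(days=expire_days):`. The change implies `self.s3_expire_days` is held as a string from the environment; an explicit conversion at the point where it is read would document that for the next reader. `snapshot` starts and ends outside this hunk.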